Canvas Defaced During Finals: Same Hole as Prior Breach

Canvas was defaced during finals week, and Instructure has now confirmed the May 7 attackers used the same vulnerability as the prior week's breach. The Free-For-Teacher account tier has been temporarily shut down. Instructure said the unauthorized actor exploited an issue related to Free-For-Teacher accounts, which is the same issue that led to the unauthorized access the prior week. Per Instructure, no new data was taken on May 7 — the attackers got in to deface the Canvas login page, not to exfiltrate. Schools in the U.S., UK, Australia, New Zealand, Sweden, and the Netherlands reported outages, with 44 institutions in the Netherlands alone on the affected list. In the U.S., the list includes Penn, Princeton, Duke, Northwestern, Ohio State, Texas, Florida, and Baylor. James Madison, SMU, Virginia Tech, UMass Lowell, and others rescheduled finals; several Australian universities are offering assignment extensions. A source close to the investigation told Krebs On Security that a number of universities have already approached ShinyHunters about paying. The deadline is still May 12. Sources: https://krebsonsecurity.com/2026/05/canvas-breach-disrupts-schools-colleges-nationwide/ https://therecord.media/universities-forced-to-reschedule-exams-canvas-incident https://www.malwarebytes.com/blog/news/2026/05/shinyhunters-escalates-canvas-attacks-with-school-login-defacements https://en.wikipedia.org/wiki/2026_Canvas_security_incident More on cybersecurity, privacy, scams, and homelab on Hake Hardware. New shorts every weekday. #cybersecurity #shinyhunters #databreach